6 Real Reasons Why SOC Outsourcing Fails
Date: 2 August 2022
SOCs, or Security Operations Centres, have become essential to modern-day cybersecurity. A SOC is a 24x7 operation that gives you access to people and technologies capable of identifying and responding to potential threats to your business.
However, not all businesses have the budget or the capacity to run an in-house SOC, which is why many small and medium-sized ones typically opt for an outsourced SOC. It’s also not easy to find talent who can successfully manage an in-house SOC. Further, in the age of remote working, it’s hard to keep scaling up the SOC so that it keeps pace with the ever-growing network perimeter of the business.
With all these challenges in mind, more and more businesses are opting to outsource their Security Operations Centres, but alas only to find new challenges on their path to greater cyber resilience and compliance.
Our CEO and Co-Founder, Amar Singh, recently took a critical look at outsourced SOC operations, and why they fail, in a LinkedIn post.
Apart from the several ‘Likes’ this post garnered, many of Amar’s peers lauded him for calling a spade a spade and speaking the truth on a controversial subject that many in the industry may not have the pluck to talk about.
Todd L. Bell, CISO at Valleywise Health, said, “Always appreciate your valuable insights Amar. Over the years, I have ended up cancelling SOC contracts despite the "perceived" cost savings and big security event misses that put our business at greater risk.” Many others chimed in with similar points of view and added valuable insights.
Here’s a quick look at the 6 reasons Amar pointed out behind the failure of most outsourced SOCs. If you want to share your opinion on the subject and add to/contradict the reasons mentioned, feel free to comment here.
1. Lack of Cyber Incident Planning & Response (CIPR): One of the main reasons why outsourced SOCs fail has nothing to do with the SOC provider. The reason is mostly internal. A large number of businesses have no cyber incident response plan at all. They feel they can wish this problem away by outsourcing the SOC.
As Amar says, “No outsourcer can plan for you. You need to conduct your Cyber Incident Planning & Response sessions, before and during your outsourcing.”
The solution, as he mentioned in his post and as many concurred in the comments, is conducting proper Cyber Incident Planning & Response sessions. Non-technical training on effective Incident Response can be a game-changer for your organisational cyber resilience, and there are no two ways about it.
You can start by checking out our NCSC-Certified Cyber Incident Planning and Response training course and downloading our Cyber Incident Response Plan template.
2. No Responsibility and/or Accountability: Most organisations wrongly assume that the outsourcer is now accountable for everything that goes wrong, every data breach and the overall incident response function. This is far from the truth.
The SOC is definitely responsible for monitoring your network and security events, but you cannot wash your hands of all responsibility and accountability for how your organisation responds to an incident.
The only way to fix this problem is to create a clear internal understanding of who is responsible for what and who is accountable. This can be achieved through regular Cyber Crisis Tabletop Exercises. During the simulated attack scenario of the exercise, all participants are forced to think about what actions they’ll take and how they’ll respond. This helps to clarify, to a large extent, what each department, role or head must do in case of an actual crisis.
“You are still accountable for ensuring you respond and recover with little or zero impact,” says Amar.
Theo Botha, one of the commentators on the post, added to this point with: “The outsourced partner should just be that…a partner extending your internal capability, but you should still be accountable for designing IR etc. I agree. Meet the analyst often to give them that context.”
3. Lack of Clarity on Why You’re Outsourcing: Yes, you may know that you’re outsourcing the SOC because it leads to higher ROI or saved costs in the long run. But what experts believe you must do is define the clear outcomes and expectations that you hope to achieve with the SOC. Merely defining KPIs and metrics is not enough. A clear vision is important here.
Amar explains that the way to deal with this problem is to create a benefits/outcome statement as far as the outsourced SOC goes and ensure that all stakeholders understand and agree on the statement. When there is complete clarity on what the outsourced SOC is meant to achieve, tracking success or identifying gaps becomes much easier, leading to better results.
4 & 5. Clueless/Understaffed Outsourcer & Poor Evaluation: (Of course, there are a few great outsourcers.)
This point is vital because everyone needs to appreciate the fact that SOC outsourcers are facing the same talent crunch and skilled-staff challenge as everybody else in the industry.
At Cyber Management Alliance, we’ve had to 'save' several outsourcers from 'Help, we have a very high staff turnover and our clients are unhappy' and other such situations.
Amar explains this further from personal experience, “Turnover rates are high. Furthermore, staff are often bored! Yes, they joined under the impression that they would be chasing the 'bad hackers'. However, in reality, most SOC analysts are simply opening and closing boring events. Don't simply fall for the typical 'our analysts have hundreds of certifications'.”
Visit the outsourcer you’re planning on going with and ask to speak to the analysts. Ask to see the TOTAL number of SOC analysts they have. Ask the SOC to walk you through REAL LIFE attacks: how they detected them and what they did to respond and remediate. These are the only sure-fire ways of dealing with this most pertinent challenge with outsourced SOCs.
In the comments section of the post, Ian Campbell, Cyber Security Operations Lead at UK Power Networks, corroborated this point: “100% agree - Ask to speak to the people doing the role, NOT the sales people you will never see after signing!”
6. No Organisational Context: If you’ve ever been involved in Security Operations or know what a SOC is, you know that context is EVERYTHING. But the staff at your outsourced SOC provider aren’t your employees and they don’t have context.
There is little to no allegiance to you or your business. Consequently, most outsourced staff have LITTLE to NO organisational context other than what they see on the ticket.
“During our SOC audits we get a blank face and a 'NO' when we pose these questions: (1) Explain the business importance of this critical asset, (2) Have you ever seen/worked with this critical asset? (3) Do you know how to attack this critical asset?” shares Amar in his post.
The only way to fix this issue? Ensure the SOC analyst has the full organisational context and that they spend time with you and the critical asset teams. It is essential to spend time giving the staff at the SOC outsourcer complete information on your critical assets and helping them understand the organisational context to get the most out of their services.
Another comment on the post by Shaun Van Niekerk added a relevant point here: “Don’t purchase a SOC service if you, as the customer, do not have good people in post to manage the SOC relationship/contract and your overall expectations/outcomes.”
While there is no denying the value that an effective outsourced SOC brings to an organisation, there are far too many loopholes in the client-SOC relationship today.
Of course, the outsourced SOC must take complete responsibility for security events and for ensuring that it’s staffed with the right, talented and motivated people, but a large part of the onus lies on the business hiring the SOC too.
Choosing your SOC after in-depth due diligence, meeting the people who will actually be working for you and being on the same page with them is critical. Offering them complete organisational context is imperative too.
But what is most important is having a good cyber incident response plan yourself and building awareness of your internal team. It is critical to have smart, skilled people at the helm of your security function. Investing in high-quality Cyber Incident Planning and Response Training is indispensable to ensuring your SOC investment pays off. Paying for one without paying for the other is pretty much pointless.
It is also essential to give your team hands-on experience in dealing with a cyber crisis through Cyber Tabletop Exercises or Ransomware Tabletop Exercises.
Outsourced SOCs are indeed capable of giving you the best bang for your buck. However, you must do the necessary homework yourself to make sure your team has clarity in what it wants done, how it wants it done and what to do in case those plans don’t work out.